Pages

Friday, July 6, 2012

AppArmor is an important security feature that’s been included by default with Ubuntu since Ubuntu 7.10. However, it runs silently in the background, so you may not be aware of what it is and what it’s doing.

AppArmor locks down vulnerable processes, restricting the damage security vulnerabilities in these processes can cause. AppArmor can also be used to lock down Mozilla Firefox for increased security, but it doesn’t do this by default.

What is AppArmor?

AppArmor is similar to SELinux, used by default in Fedora and Red Hat. While they work differently, both AppArmor and SELinux provide “mandatory access control” (MAC) security. In effect, AppArmor allows Ubuntu’s developers to restrict the actions processes can take.

For example, one application that’s restricted in Ubuntu’s default configuration is the Evince PDF viewer. While Evince may run as your user account, it can only take specific actions. Evince only has the bare minimum of permissions needed to run and work with PDF documents. If a vulnerability were discovered in Evince’s PDF renderer and you opened a malicious PDF document that took over Evince, AppArmor would restrict the damage Evince could do. In the traditional Linux security model, Evince would have access to everything you have access to. With AppArmor, it only has access to things that a PDF viewer needs access to.

AppArmor is particularly useful for restricting software that may be exploited, such as a web browser or server software.

Viewing AppArmor’s Status

To view AppArmor’s status, run the following command in a terminal:

sudo apparmor_status

You’ll see whether AppArmor is running on your system (it’s running by default), the AppArmor profiles that are installed, and the confined processes that are running.

AppArmor Profiles

In AppArmor, processes are restricted by profiles. The list above shows us the protocols that are installed on the system – these ones come with Ubuntu. You can also install other profiles by installing the apparmor-profiles package. Some packages – server software, for example – may come with their own AppArmor profiles that are installed on the system along with the package. You can also create your own AppArmor profiles to restrict software.

Profiles can run in “complain mode” or “enforce mode.” In enforce mode – the default setting for the profiles that come with Ubuntu – AppArmor prevents applications from taking restricted actions. In complain mode, AppArmor allows applications to take restricted actions and creates a log entry complaining about this. Complain mode is ideal for testing an AppArmor profile before enabling it in enforce mode – you’ll see any errors that would occur in enforce mode.

Profiles are stored in the /etc/apparmor.d directory. These profiles are plain-text files that can contain comments.

Enabling AppArmor For Firefox

You may also notice that AppArmor comes with a Firefox profile – it’s the usr.bin.firefoxfile in the /etc/apparmor.d directory. It isn’t enabled by default, as it may restrict Firefox too much and cause problems. The /etc/apparmor.d/disable folder contains a link to this file, indicating that it’s disabled.

To enable the Firefox profile and confine Firefox with AppArmor, run the following commands:

sudo rm /etc/apparmor.d/disable/usr.bin.firefox

cat /etc/apparmor.d/usr.bin.firefox | sudo apparmor_parser –a

After you run these commands, run the sudo apparmor_status command again and you’ll see that the Firefox profiles are now loaded.

To disable the Firefox profile if it’s causing problems, run the following commands:

sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/

sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox

For more detailed information about using AppArmor, consult the official Ubuntu Serve